2035009 – (CVE-2021-20330) CVE-2021-20330 mongodb: specific replication command with malformed oplog entries can crash secondaries

Bug 2035009 (CVE-2021-20330) - CVE-2021-20330 mongodb: specific replication command with malformed oplog entries can crash secondaries

Summary: CVE-2021-20330 mongodb: specific replication command with malformed oplog ent...

Keywords:
Status:	NEW
Alias:	CVE-2021-20330
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2035293
Blocks:	2035010
TreeView+	depends on / blocked

Reported:	2021-12-22 17:31 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-07-07 08:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:	mongodb 4.9.0, mongodb 4.2.16, mongodb 4.0.27, mongodb 4.4.9
Doc Type:	If docs needed, set a value
Doc Text:	A denial of service attack was found in MongoDB. An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-12-22 17:31:49 UTC

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.

Reference:
https://jira.mongodb.org/browse/SERVER-36263

Comment 2 Yadnyawalk Tale 2022-01-27 13:53:27 UTC

Upstream patch: 
* (v4.0) https://github.com/mongodb/mongo/commit/cbec187266a9f902b3906ae8ccef2bbda0c5b27b
* (v4.2) https://github.com/mongodb/mongo/commit/865eccaf35aca29d1b71764d50227cdf853752d0
* (v4.4) https://github.com/mongodb/mongo/commit/7e053b675b100a31092e5a195e4549712c0966ce

Comment 3 Yadnyawalk Tale 2022-01-27 13:57:57 UTC

We are not planning on fixing this issue in RHUI because it affects version 3, which is in maintenance mode and will be EOL in March 2023. See RHUI lifecycle here for more information - https://access.redhat.com/support/policy/updates/rhui

Note You need to log in before you can comment on or make changes to this bug.